Using Operational Risk Management (ORM) to Improve Computer Network Defense (CND) Performance in the Department of the Navy (DON)
"Operational Risk Management (ORM) has been credited with reducing the Navy's mishap rate to all-time lows, especially in Naval Aviation. Through the use of a five-step process, ORM has been able to change the decision makers' paradigm of day-to-day operations in naval fleet units, making safety the paramount factor that would allow fleet commanding officers to conserve their assets, yet meet the requirement to train in high-risk environments. ORM is a process that mitigates the risk associated with the high-risk environment that naval fleet units operate in. Not unlike naval fleet units, our computer networks operate in a high-risk environment: the Internet. Crackers are able to penetrate what were thought to be secure networks, and copy, modify, disrupt or destroy valuable information. The risk posed to the Navy's computer network systems is very great. Given the Navy's adoption of Network-Centric Warfare and the Navy-Marine Corps Intranet (NMCI), the hazards faced by the possible compromise of these computer network systems are as great as any a fleet unit would encounter in its normal operating environment. The objective of this thesis is to translate ORM practices into Information Assurance Risk Management (IARM) practices, and demonstrate IARM's utility in identifying, quantifying, and mitigating the security risks associated with computer networks."
Defense Technical Information Center (DTIC): http://www.dtic.mil/dtic/